Ultra-low-cost True Randomness

Cryptocrat writes "Today I blogged about a new method for secure random sequence generation that is based on physical properties of hardware, but requires only hardware found on most computer systems: from standard PCs to RFID tags." Basically he's powercycling memory and looking at the default state of the bits, which surprisingly (to me anyway) is able to both to fingerprint systems, as well as generate a true random number. There also is a PDF Paper on the subject if you're interested in the concept.

A Slightly More Expensive Method

[eldavojohn]

A slightly more expensive but somehow even more random method is to seed the generator against the words and phrases that come out of the mouth of South Carolina's Miss Teen USA [youtube.com].

But in all seriousness, I wonder how this compares to the Mersenne Twister [wikipedia.org] (Java implementation [gmu.edu] & PDF [hiroshima-u.ac.jp])that I use at home? I am almost sure this new proposed method is more efficient and faster, when will there be (I know, I'm lazy) a universal implementation of it? :)

Also, this may be a stupid question, but I wonder how one measures the 'randomness' of a generator? Is there a unit that represents randomness? I mean, it would be seemingly impossible to do it using observation of the output so I guess all you can do is discuss how dependent it is on particular prior events and what they are, theoretically. Can you really say that this is 'more random' than another one because you have to know so much more before hand about the particular machine & its fingerprint in order to predict its generated number?

Random karma whore

[BadAnalogyGuy]

Randomness is definable.

Why, take a look at this Wikipedia link [wikipedia.org]. You can never tell whether it represents the truth or some crackpot's claim to it or just some troll's malicious vandalism.

Voila! Randomness!

Re:

[Mc1brew]

That link brought me to the conclusion that randomness doesn't exist as much as I thought. It uses the example of rolling dice, random right? Not really... Just too many variables to consider over the given amount of time. *Density of dice *Placement of dice in hand *Distance of hand from table *Number of dice *Potential values of dice *Density of table *etc..... By the time you write down all the variables a value has been generated. Just because you didn't have enough time to evaluate the scenario, doe

Re:

[abes]

It really depends on whether you are looking from Einstein's world view (God doesn't play dice) or Quantum mechanics world view, in which everything is assigned a probability (and therefore random). IANQM, but my understanding is that the interesting thing is how to scale the very small to the very big -- things which by their nature are ruled almost entirely to probability (particles) to things which have no randomness attached to them (>> particles).

You could in theory construct a truly random numbe

Re:

[imgod2u]

See http://en.wikipedia.org/wiki/Hardware_random_number_generator [wikipedia.org]

The method of generating random numbers that this article proposes follows the same principle. And the "randomness" that it provides becomes more random as process feature size shrinks. At 45nm, the steady-state bias (if there is one) that a circuit comes to (depending on the circuit design) is truly random in two ways:

1. If, in the case of a CMOS circuit in which the state of a flip-flop depends on charge accumulated during power-up, small

Re:

[Surt]

Indeed, there is very little to possibly zero actual randomness in the universe. Many scientists think there may be no actual randomness (just stuff for which we don't know how to examine the internal state yet).

Re:

[cowscows]

That's basically the deterministic view of the universe, where given all the rules and the initial state of the universe, you'd theoretically be able to run a simulation and predict the entire future of the whole universe (of course, to simulate the entire universe, you'd need a computer the size of the universe).

Of course, then quantum mechanics and all that jazz has come along, and one of the things it fundamentally says is that some things are entirely based on probability, and as such are not determinis

Re:

[Surt]

Indeed, and the open question is whether quantum mechanics is the bottom, and there is no more we can know that would allow us to predict quantum mechanical outcomes, or if at some deeper level, it all becomes fixed again.

Obligatory

[Zenaku]

Wait! My cheating unit malfunctioned! You gotta give me a do-over!

Re:

[name*censored*]

I think the easiest way to measure "randomness" is to (whilst keeping the environment the same) generate a massive number of "random" numbers, and check the number of occurrences of values to their expected number of occurrences. Probability would dictate that a true random number generator would return values to within a tiny margin of what would be expected. The "unit" would probably be "standard deviations" (ie, the bad random number generator has a bias for $SOME_VALUE of 2 standard deviations)

Re:

[stranger_to_himself]

123456789123456789123456789123456789123456789

That's how to test uniformity, but not randomness.

Re:

[Matje]

it is a lot more tricky than that. Test your method against the following string:

12345678901234567890

See? The distribution of digits doesn't tell you a whole lot about the randomness of a stream.

A nice way to define randomness is using Kolmogorov Complexity. A random number then is a number that cannot be represented by a program (in some code language) that is shorter than the random number itself. In other words: if the smallest program that outputs number X is the program "print X" then X is considered a

Re:Kolmogorov complexity not tractable - compressi

[arth1]

For instance, in the 123456789012345678901234567890 sequence example, any self-respecting compressor such as Zip would create something like "1234567890 times 3", which is pretty close to the shortest program which generates the sequence.

perl -e 'print 1..9,0..9,0..9,0'

Re:

[WombatDeath]

I think you'd also need some means of defining the randomness of distribution in your sequence. For instance, 01010101010101010101010101010101 doesn't look very random.

Re:

[MillionthMonkey]

Compress it and measure the compression ratio (entropy). It can be used to determine a probability distribution with confidence intervals so that there is a 90%, 99% etc. probability that the source is truly random.

Re:

[spikedvodka]

Every time some article mentions "Random numbers" the question is raised: What exactly is a random number?

and every time, everybody disagrees...

once again... for the record... From My CS classes:

A number sequence can be defined as "Sufficiently Random" if the simplest algorithm to generate said sequence is shorter than the sequence itself.

ergo: 012346567890123465678901234656789012346567890123465678901234656789 Ain't Random
for i=0, i50,i++{
print (i mod 10);
}

Re:

[Surt]

The problem everyone has with that definition is that it's unmeasurable, because we don't know how to generate the shortest program for a given sequence.

Re:

[MCraigW]

And it is language dependent.

Re:

[Surt]

An excellent point. On reflecting on this comment, I realized it would be relatively trivial to design a language for which the shortest program expressing any given sequence was a single character.

Re:

[Intron]

int random()
    i++;

Every value of i is equally represented. Must be a perfect random number generator.

Re:

[maxwell demon]

Would you consider the digit sequence of pi to be a random sequence? AFAIK up to now it has passed every normality test thrown to it. Yet I'm not willing to consider that sequence as random. After all, you can calculate any digit you want (it may take some time and computing power, though). So there's absolutely nothing unpredictable about them.

Re:

[JesseL]

If it's truly random, there is a very real possibility that the stream will be very compressible. You could even end up randomly generating the complete works of Shakespeare.

Just because something is random, doesn't mean you won't be able to assign patterns to it after the fact; it only means you couldn't have predicted the patters beforehand.

Re:

[JesseL]

To illustrate:
A random number generator would have an equal probability of generating any of these strings of bits,
011010011010
000000000000
111111111111
010101010101
101010101010

Re:

[kryptkpr]

I think you're mixing up "Random" and "Fair". Something can still be random without being fair (casino slot machines come to mind, they have to be made unfair or they wouldn't be profitable but they have to be random to be legal).

To use your example, a fair RNG would indeed be equally likely to generate all of the above strings. But with equal likelyhood, any other 12-bit sequence can also be generated. Compression works by assigning symbols to recurring sequences, where these symbols can be stored in le

Re:

[ChatHuant]

A random number generator would have an equal probability of generating any of these strings of bits,
011010011010
000000000000
111111111111
010101010101
101010101010


Of course, equal probability does not guarantee the randomness of your output: your generator may for example be a simple counter, going 000000, 000001, 000010 and so on. Not random at all, but it satisfies your requirement. So, equiprobability is a must have, but independence is also required

True randomness is really difficult to ascerta

Re:

[NetCow]

Mersenne Twister is not a random number generator, it's a pseudo-random number generator.

Randomness is measured as entropy. See here for details: http://mathworld.wolfram.com/Entropy.html [wolfram.com]

How it compares to the Mersenne Twister

[benhocking]

The Mersenne Twister is a pseudo-random number generator. For many uses, this is preferable to a true random number generator as it is easily repeatable. (One can also repeat the results of a true random number generator by storing the output, but depending on how many random numbers you're generating, this might be space intensive.)

That said, although this might be "true" randomness, what kind of randomness it is? Uniform over a range? Gaussian? Weibull? Most likely, none of the above if it can be used for fingerprinting systems. (No, I did not RTFA.)

Fingerprinting

[jgoemat]

Most likely, none of the above if it can be used for fingerprinting systems. (No, I did not RTFA.)

Basically some bits are more likely to be 0, some are more likely to be 1 and some are apparently random. Many cycles are done to identify which bits fall into which category. The ones more likely to be 0 or 1 are used to determine the fingerprint. The ones that appear to be totally random are used to generate random data.

Re:Fingerprinting

[benhocking]

Wow, that actually makes sense. I'll bet you cheated and RTFA, didn't you?

Re:

[solafide]

Randomness is measured statistically using multiple tests: see Knuth, Art of Computer Programming Volume 2, Chapter 3 for a thorough discussion of common statistical randomness tests, or here [fourmilab.ch] for a practical testing tool.

I don't expect this to be statistically random: they claim it's based on thermal noise. But the startup temperature of a computer does not have that much entropy, so the thermal noise isn't reliable. Just because something's garbage doesn't mean it's statistically random.

Re:

[Cyberax]

Thermal noise random number generators do not depend on temperature (unless cooled to liquid nitrogen temperatures). Normal room temperature provides quite enough random fluctuations for good generators.

Re:

[DerekLyons]

Randomness is measured statistically using multiple tests: see Knuth, Art of Computer Programming Volume 2, Chapter 3 for a thorough discussion of common statistical randomness tests,

Keep in mind that there are several 'grades' of randomness. Something that is good enough for your average Monte Carlo analysis is likely sub par for serious cryptographic purposes.

Re:

[sholden]

You can do some stats on the output, for example: http://citeseer.ist.psu.edu/maurer92universal.html [psu.edu]

Re:

[morgan_greywolf]

Well, the theory goes something like this: the more wide and varied the seeds you feed to a random number generator, the more truly random your results. Many programs use a timestamp from the system clock as a seed, or even a timestamp as seed to put through the random number generator to get another random number that is used as a seed, etc. ad finitum. Of course, the system clock has only so much granularity, so based on that granularity there are a finite number of seeds for each 24 hour period. If yo

Re:

[wizardforce]

Also, this may be a stupid question, but I wonder how one measures the 'randomness' of a generator? Is there a unit that represents randomness? I mean, it would be seemingly impossible to do it using observation of the output so I guess all you can do is discuss how dependent it is on particular prior events and what they are, theoretically. Can you really say that this is 'more random' than another one because you have to know so much more before hand about the particular machine & its fingerprint in o

Re:

[kevmatic]

Yeah, it can be measured. There is no unit, though, as its a measure of entropy. So things are more or less random than something else. I imagine randomness studying program assign numbers to it. a random number is just a number; '1' might be randomly selected out of 1 through 6, but its still just 1. But random number sets are considered random if, for every number, the chances of a the number after it being, say 4, are 1 in 10. So if you have a random set and come across a 1, the probability the next nu

Re:

[ThosLives]

There is no unit, though, as its a measure of entropy.

Eh, well, the unit of entropy is actually "energy per temperature"*, so there are physical units associated with it. Of course, that's physical entropy, and I don't know that it's the same as "information entropy." If they're different, then I blame the folks that overload technical words.

That said, I always thought "random" simply meant "the next outcome is not predictable based on all previous measurements." Therefore the measure of "random" would b

Re:

[shadow_slicer]

Of course, that's physical entropy, and I don't know that it's the same as "information entropy."

You are probably referring the thermodynamical entropy, which is based on continuous state distributions. While in most cases continuous and discrete solutions are closely related (allowing summations to be replaced with integrals and vice versa), it has been shown in this case that these notions of entropy are not comparable (the limit of the discrete entropy as the number of divisions goes to infinity also go

Re:

[sdedeo]

Entropy is fascinating. It's proportional to the logarithm of the number of microstates, but until the advent of quantum mechanics, there was not good way to number the microstates of a given physical system. Once you have the uncertainty principle, you can divide the phase space up into little chunks of volume (Planck's constant)^(dimensions) and count it that way.

Another way to put it is that before the advent of quantum mechanics, every measurement of entropy was only meaningful in a relative, differe

Method to measure randomness

[mpapet]

Dieharder http://www.phy.duke.edu/~rgb/General/dieharder.php [duke.edu] is what I used.

I learned a heck of a lot working with dieharder especially considering my lack of mathematical acumen. The author and friends were unbelievably patient and helpful. In my book it's the best tool ever.

Debian package too!

Read Gleick's Chaos

[Weaselmancer]

Also, this may be a stupid question, but I wonder how one measures the 'randomness' of a generator?

Read James Gleick's Chaos.

There is a method in that book that describes how they extracted attractors from a stream of data. Here's how it works.

A team of researchers had a bathtub with a dripping faucet. They tuned the dripping until the drips fell at random intervals. Nothing rhythmic about it. As the drop broke away from the faucet, it was setting up a vibration in the remaining water that would

Re:

[mjsottile77]

"Also, this may be a stupid question, but I wonder how one measures the 'randomness' of a generator?" There are lots of places that talk about this. A simplistic explanation of what it means to be a good PRNG is simply to provide a sequence of numbers with no correlations that matches the desired distribution. (http://mathworld.wolfram.com/RandomNumber.html [wolfram.com]). Books on modeling and simulation often have good explanations of this. This page (http://csrc.nist.gov/rng/ [nist.gov]) has a good overview, including simpl

Re:

[Fweeky]

From the Wikipedia article:

Observing a sufficient number of iterates (624 in the case of MT19937) allows one to predict all future iterates

A proper cryptographically secure PRNG like Yarrow [wikipedia.org] shouldn't be guessable like this, and neither should this RNG, though they may not be "more effecient and faster", just "better".

Oblig. XKCD

[IcedTeaisgood]

http://xkcd.com/221/ [xkcd.com]

Re:

[KJE]

Oblig Dilbert: http://www.random.org/analysis/dilbert.jpg [random.org]

Re:

[Asmor]

One of my favorites... The alt-text in particular. For the lazy:

RFC 1149.5 specifies 4 as the standard IEEE-vetted random number.

Re:

[ricky-road-flats]

Just wanted to say thanks - never heard of xkcd before, but am enoying it a lot!

Fatal error: not enought random available

[Tribbin]

OK, do we in this world have a problem with not sufficient randomness in our keys or something?

Natural Ice

[0100010001010011]

Is pretty low cost to get some randomness. Some friends like jug wine though. Although I'm extremely cheap, so I just go for 100 proof stuff. $12.00 and you can get a whole bottle of randomness.

This sounds nuts

[Man On Pink Corner]

The contents of a power-cycled DRAM cell are highly correlated to whatever was stored in it before power was lost. Geez, think about how a DRAM works... it's a capacitor (aka an integrator)! That's the last place I'd ever look for randomness.

Re:

[imbaczek]

Yeah, but the headline of the PDF says: "Initial SRAM state..."

Re:

[AmIAnAi]

TFA talks about SRAM, rather than DRAM. So there's no capacitor involved for data storage - each cell is a transistor-based state machine.

Re:

[imgod2u]

That actually depends on how long you power it off for....

Also depends on how the sense/charge refresh circuit is designed.

P(bit) vs. fabrication variations

[G4from128k]

I wouldn't assume that these fingerprints are as unique or pattern-less as one might hope (a fact discussed in the pdf). All of the RAM chips from a given wafer or given mask may share tendencies toward some patterns of the probability of a 0 or 1. These patterns may appear as correlations between rows and columns of a given chip. Location on the wafer (in the context of nonuniformities of exposure to fab chemicals) might also systematically affect the aggregate probabilities of 0 or 1 or the repeatability of the fingerprint. The quality of these fingerprints to be consistent or random might change from run to run and from manufacturer to manufacturer. Finally, I'd bet that the probabilities vary systematically with temperature -- e.g., the probability of a 1 increases for all bits as the chip's temperature increases.

This is a very interesting phenomenon, but a lot more data is needed to show that it provides consistent behavior.

The quality of randomness....

[HotNeedleOfInquiry]

Will vary with the length of time the computer has been off. There is a suprising amount of non-volatileness in DRAM. I liked Alan Touring's suggestion that all computers come equiped with a small radioactive source and detector. The random breakdown and emission of the source is an almost ideal random number generator. It wouldn't take a source any bigger than we now have in a smoke detector.

Re:

[flynns]

For the fifteenth time: SRAM! RTFA.

Oh, right; Slashdot. :\

I have a better solution

[imstanny]

Pick a question. Then keep asking that question to a politician. You should get truly randomized results. If you doubt me, just take a politician with an opposite stance, and repeat the process. The answers will not be polar opposites.
And consequently no information could be extracted that scenerio -- wow, I think I just proved that you can't transmit information across a quantum entanglement..

Re:

[mr_mischief]

Nah. All you proved is that career politicians are devoid of information, and you can't transmit the static they produce in any meaningful way.

Do you have any idea how expensive a politician is

[Overzeetop]

If you knew how much it cost to buy one, you'd realize why a low cost solution is so necessary.

Then again, if you paid enough for your politician, he'd be less random on your particular issue. Hmm.....

A VERY interesting idea...

[nweaver]

the true RNG properties rely on the fact that:

a: Many of the bits are sorta random, but physically random. So very biased coins, but true randomness.

b: With the right reduction function, you can turn a LOT (eg, 512 Kb) of cruddy random data to a small amount (128b-512b) of very high quality, well distributed random.

And the fingerprinting relies on the fact that:

a: Many other of the bits are physically random, but VERY VERY biased. So map where those are and record them and it is a very good fingerprint. And since it is all silicon process randomness going into that, it is pretty much a physically unclonable function.

Kevin Fu has some SMART grad students.

Re:

[Dirtside]

Kevin Fu has some SMART grad students.

I wonder how often they go around saying to people, "Whoa. I know Kevin Fu."

This is hardly random

[gillbates]

As an embedded engineer, I've encountered numerous cases where power cycling RAM did not alter the contents.

In fact, I've seen systems boot and run even after the power was cut for several seconds. Some types of SRAM and SDRAM have the ability to retain an (imperfect) memory image even at very low voltage levels. Sure, it's not guaranteed to be accurate by the manufacturer, but RAM "images" are a pretty well known phenomenon. In some cases, the contents of memory can be reconstructed even after the computer has been powered off and removed to a forensic laboratory.

This is not random at all. In fact, it's more likely to produce an easily exploitable RNG than anything else; I would not be at all surprised if the standard UNIX random number generator provided better security.

Re:This is hardly random

[tlhIngan]

As an embedded engineer, I've encountered numerous cases where power cycling RAM did not alter the contents.

In fact, I've seen systems boot and run even after the power was cut for several seconds. Some types of SRAM and SDRAM have the ability to retain an (imperfect) memory image even at very low voltage levels. Sure, it's not guaranteed to be accurate by the manufacturer, but RAM "images" are a pretty well known phenomenon. In some cases, the contents of memory can be reconstructed even after the computer has been powered off and removed to a forensic laboratory.

This is not random at all. In fact, it's more likely to produce an easily exploitable RNG than anything else; I would not be at all surprised if the standard UNIX random number generator provided better security.

I've had this bite me, and exploited it.

It bit me when booting into Windows CE - you'd power cycle the thing, and the OS would boot with the old RAM disk you had - we'd gotten to the point where we'd have the bootloader wipe the kernel memory so the data structures were all corrupted by the time the OS was trying to decide between mounting the RAM disk (object store) and starting fresh. It turns out that the longer an image is unchanged in RAM, the more likely the cells woudl be biased such that if you cycle the power on them, they're more likely to lean towards the way they were before power was cut.

The time I exploited it, I didn't have any way of logging. Logging to serial port caused issues (timing-sensitive code), so I logged to memory (and no, I had no filesystem running, so I couldn't log to file). My trick was to simply log to a circular RAM buffer. When it crashed, I would just power cycle and dump the RAM buffer. Even though the data was fresh, it was enough to make out what my debug message was trying to say (almost always perfect). This was readable after a brief power cycle, and was still readable after turning power off for nearly a minute. The characters got corrupted, but since it was regular ASCII, you could still make out the words.

Re:This is hardly random

[nickovs]

There are a couple of things to note here. Firstly, SDRAM and SRAM behave very differently. Synchronous dynamic RAM can retain charge in the capacitors for quite some time after being powered down and there is very little one can do about it, but the paper discusses static RAM. With static RAM there is a difference between being "powered off" and having the Vcc rail clamped to ground. Active clamping of the power line is much more effective at clearing the RAM than even just disconnecting it from the power supply, for reasons which become obvious when you look at a classic six transistor CMOS RAM circuit [wikipedia.org]. Without clamping, bias will remain for exactly the same reason that SRAM doesn't consume much power; current only flows when the data changes.

As for it being a good RNG; the state of RAM on power-up is probably a lousy "random number generator", but the statistics in the paper suggest it is a fairly good "source of randomness". There's a big difference between bias and unpredictability (think about dice with '1' on five of the sides and '0' on the remaining side). You wouldn't want to use the state without putting it through a compression function first, but it's a much better seed than using clock() [berkeley.edu]!

Not for PC's - yet

[AmIAnAi]

This technique is only usefull for deeply embedded systems where you have control of the hardware from power-on and are able to fingerprint your SRAM. PCs don't really have user-accessible SRAM (except for on-chip memory in SCSI or Ethernet controllers). Even if this were applicable to DRAM, by the time your OS loads, your DRAM state is already defined. It's a shame Intel's hardware RNG implemented in their firmware hubs (82802Ax) didn't catch on more.

The problem with random numbers

[operagost]

You can never be sure [random.org].

A suggestion for this blogger

[Quila]

Learn How To Use Capital Letters At The Beginning Of Sentences!

Our research group will answer questions soon...

[fubob]

We were surprised to suddenly get attention to this paper, but apparently Slashdot readers are watching the security seminar at UMass Amhest.

Anyhow, we will be answering questions in this thread. So if you have any questions, post them here and Dan Holcomb will get back to you as soon as he can.

Cheers,
-Kevin Fu

OK, first one, retention time...

[nweaver]

A couple of other posters mentioned the state storing across power cycles. Being too lazy to read the paper in enough detail to create a slashdot question:

This shouldn't affect the fingerprinting, because you fingerprint on the highly-biased cells.

But how does this biasing effect interact with the true RNG operation? Have you done retention time experiments?

also, DRAM is worse on the retension time, but is it perhaps still suitable for the fingerprinting? Have you evaluated this yet?

Re:Our research group will answer questions soon..

[Paul Crowley]

First, I'm sorry to bring this comment to your attention:

http://it.slashdot.org/comments.pl?sid=292837&cid=20543831 [slashdot.org]

I've only looked at one of them:

http://www.patentstorm.us/patents/6738294.html [patentstorm.us]

Second - what can you say about NH as an entropy distiler? Are there any nice provable properties that follow from it being a universal hash function?

Thanks for doing interesting work!

Don't follow the hype. Does not apply to PC's.

[rpp3po]

The original paper is much better than CmdrTaco's quick conclusions.
The described method is ONLY for SRAM (statical RAM), no DRAM, no SDRAM. You can find this on RFID chips and in a CPU'S cache, not in RAM. As there is no way to access a CPU's cache uninitialized, I can't see why this should be useful.
If you have to modify a CPU first, to allow access to it's unitialized caches (think about all the unwanted implications), it's much cheaper to just give it a thermal diode and register to poll (as most modern CPU's already have).
After all the described method is just another way of collecting thermal noise. As RFID's are custom designs most of the time, also there it would be cheaper to just use a thermal diode.
The only application for this would be if you had to develop strong crypto for legacy RFID chips.
Slashdot stories get worse by the day.

Re:

[bcrowell]

It's conceivable that at some point in the future there would be some kind of memory that would become popular on general-purpose PC's for which this technique would work. But even then, there are some other reasons why I'm thinking you wouldn't want to use this technique for a PC (as opposed to an RFID):

1. Users don't want to power-cycle their machines several times, and modify their BIOSes, so that they can install someone's crypto software.
2. The code to use this technique would either work or not work for

Fascinating idea, but not always cheep

[nickovs]

It's an interesting paper, and as a means of getting randomness for RFID processors it probably works well, but I'm not sure it's that cheap for most purposes. If you're having to build a new circuit to generate randomness then using an op-amp to compare the noise out of a pair of zener diodes is likely to be cheaper. If you already have an audio input you're not using you can keep that really cheap. Of course if you want really good randomness you should use an old smoke detector [slashdot.org].

Easy

[PPH]

Post a question on 'Ask Slashdot'.

and another few ways

[pakar]

If not implemented in hardware i do see some problems like how to get access to the page as a normal user.. In software there are easier ways...

1. IRQ's on the system since it started, for one or more more devices.
2. cpu-serial
3. check the number of cpu-cycles that passed since the seed-generator started (a bit like the chaos theory if you have many processes running)
4. uptime of the system
5. local time (do have have a little randomness due to variations op the local clock-circuit)
6. serial of the harddrive

How does this compare to what linux already does?

[merreborn]

Linux already uses hardware entropy sources like hard drive seek times and peripheral input to generate secure random numbers:

http://en.wikipedia.org/wiki//dev/random [wikipedia.org]

Another existing method of generating secure random numbers, used by the java VM, is starting and stopping threads and gathering statistics about how the OS allocates time to those threads, which has been shown to be fairly unpredictable.

Given the flaws with the method outlined by other posters... sounds like this really doesn't offer anything

It's all

[benow]

butterflies and artichokes to me.

Random Number

[kEnder242]

http://xkcd.com/221/ [xkcd.com]

HotBits

[The -e**(i*pi)]

The only way I know of generating truly random numbers (not psudorandom) is hot bits which works on the principle of single radioactive atoms decaying after a perfectly random, in every sense of the word, time. http://www.fourmilab.ch/hotbits/ [fourmilab.ch]

Re:

[JoelKatz]

There are quite a few ways of generating truly random numbers. They all basically boil down to three basic mechanisms. One is radioactive decay. Another is thermal noise. The last is direct quantum effects.

They vary in quality, but it really doesn't matter. With the proper post-processing, they all provide true randomness that is basically as good as randomness is possible to be.

Radioactive decay tends to be the most expensive and the least practical. Shot noise in a reverse-biased zener diode is generally

Iffy. H/W != "true" randomness

[mattr]

Just because it is hardware does not mean it is "true" randomness.
TFA did not say just how random it is.
The idea that the data is compromised enough that significant portions of it can be used to fingerprint, which is close to the opposite of the meaning of true randomness since it is based on a pattern, sounds to me like the more random components are in fact not so random.
In other words the jitter down near the threshold of signal discrimination may look real random but actually may look a lot like the sa

Old news - I have already been granted patents

[ironring]

This is a bit of old news. I have already authored and been granted several patents in this area.
6,906,962 Method for defining the initial state of static random access memory
6,828,561 Apparatus and method for detecting alpha particles
6,738,294 Electronic fingerprinting of semiconductor integrated circuits
I have several other ideas for application of this technology and would be happy to discuss if someone is interested.
Paul

Questions/requests

[Overzeetop]

(1) please tell me that you're joking, I don't have time to look up patent numbers right now.

(2) if you're not joking, were you some key figure at NE2 encryption, noted by an AC a few posts up?

I've observed this behavior in SRAM...

[The Master Control P]

I've assembled a small SRAM memory circuit as part of a computer and I've observed at least part of the behaviors he describes. In the circuit, both my address counters always initialize to zero. The first byte of the ram chip is always 11111111, the second always 00000000, and after that they are apparently random. But if you're going to *powercycle your ram* to get randomness, wouldn't it be simpler to just use a hardware stream generator?

Metastable flip-flops more appropriate?

[keithjr]

The article makes a short note on metastability [wikipedia.org], but wouldn't this be more appropriately applied to a register array of flip-flops, which are much more susceptible to falling into a metastable state, instead of a ram? If he's using the SRAM (he never clarifies), he's counting on the charge of a single capacitor being randomly dispersed in order to enforce randomness, not the properties of the transistors at all. Using flip-flop circuits by violating their setup/hold times seems like it'd be more effective

Re:933245789124398

[BadAnalogyGuy]

23423483837223429723432891023478343589435892

You would expect that, you fucking pervert.

Re:

[Debug0x2a]

Hey, I'm a 23423483837223429723432891023478343589435892 you insensitive clod!

Re:

[ShieldW0lf]

You hit the nail precisely on the head as to why this is a bunch of bollocks.

If the startup state of the RAM banks are so predictable that you can base a fingerprint on it, it's not even vaguely random, is it?

Re:Four

[ukatoton]

RTFA
There are 3 states the bits can fall into:

1. initially (almost) always 0
2. initially 0 or 1 with somewhat even probability
3. initially (almost) always 1

Using the bits that fall into category 2 to generate the number will result in a random number, as these are known to change randomly

since it is now known which bits will change with each power cycle, those bits can be used as a source of true randomness

Bits falling into the other two states are ignored for the random function and are used for the identification function.

Re:Four

[ajs]

I'm not entirely clear on why this is more interesting than just using timing like most of the rest of the world does. Perl has, for example, long used a setjmp/longjmp-based timing test for its Math::TrulyRandom [cpan.org] package by Matt Blaze and Don Mitchell of AT&T and of course most modern Unix-like systems implement /dev/random and /dev/urandom again based on timing. RFC1750 [ietf.org] has given useful directions on how to generate random numbers on generic hardware for well over a decade. I recall first reading this RFC, not long after it came out. It really changed my understanding of random numbers on computer hardware.

This just doesn't seem all that newsworthy, though it's cool enough as yet another random number generation technique, I suppose.

Re:

[ShieldW0lf]

You don't understand what random means, or the nature of the hardware you're looking at.

The level of electrical noise in the system at launch is predictable.

In some bits, the electrical noise is predictably higher than the tipping point to count it as "1".

In some bits it is predictably lower than the tipping point to count it as "0".

In some bits, it is predictably proximate to the tipping point to count it as either "1" or "0".

In ALL cases, it is predictable.

If I have a die that is weighted to land on 5 or

Re:

[edwdig]

In some bits, it is predictably proximate to the tipping point to count it as either "1" or "0".

In ALL cases, it is predictable.

If I flip a coin onto my hand, it's predictable that it will land on either heads or tails. That doesn't mean it's not random though.

Re:

[psmears]

If I have a die that is weighted to land on 5 or 6 almost every time, it's not random.

It is random, it just isn't fair.

What's more, you can use it to generate fair, random 0s and 1s: throw it twice, and if you get 5-6, that's a 0; if you get 6-5, that's a 1. If you get two of the same number (5-5/6-6), repeat from the start. Assuming the throws are independent (i.e. it has no memory), and the probabilities of 5&6 are both greater than zero, you'll get a 0 or 1 with equal probability.

The article plays a similar trick, but it uses a hash function to even out the probabilities...

MOD PARENT DOWN!

[Asmor]

Parent stole his joke from xkcd (posted above) without giving credit. Mod douche-nozzle parent down, please.

Re:

[leuk_he]

right....

Just i forgot the link, and the actual number, which by a random luck i choose the same....

Re:

[imbaczek]

I think I know the answer, but I've RTFA, so it doesn't count.

Re:

[Goaway]

Because the output of the method is not a truly random number. It is a number with some amount of randomness and some amount of regularity. To fingerprint, you look for the regularity, and to make random numbers, you refine the randomness through some kind of hash function.

Re:

[blueg3]

Here's trivial example of how a "truly random" output can also be a fingerprint. Imagine the random outputs are real numbers. Machine A produces a truly random output, evenly distributed between 0 and 1. Machine B produces a truly random output, evenly distributed between 7 and 10. Both are equally-good random numbers, but given the output, it's easy to tell which machine generated it.

Re:

[Stripe7]

Read the article, there are 3 states for bits of RAM at power up. 1. Always 0 2. 50/50 flipping between 0 and 1 3. Always 1 For fingerprint use 1 and 3 and mask out the flipping bits, for Randomness mask out the consistent bits.

Re:

[shystershep]

The problem with the last is that it's a constant, not random at all.